How to Set Up WiFi with SMS Authentication: A Complete Guide

Providing guest internet access in a café, hotel, or office requires more than just an access point, but a reliable user identification system. Simply knowing the network password WPA2-PSK This often proves insufficient, as the password is easily shared with third parties, making it impossible to track a specific user. This is where authentication technology comes into play. Captive Portal using SMS gateways, which turns an ordinary router into a powerful marketing and analytical tool.

The essence of the method is that when trying to connect to an open network Wi-Fi The user is redirected to a special page. On this page, they enter their phone number, receive a code in a message, and enter it to gain access. This solution allows the network owner to collect a customer contact database, limit session time, and restrict access only to authorized users. Implementing this system requires careful hardware selection and server software configuration.

Implementing an SMS authentication system increases the security of your local network by cutting out random neighbors and malicious intruders. However, it's important to understand that this isn't just a matter of convenience; it's also often a legal requirement for storing traffic logs and user identification. In this article, we'll examine the architecture of such a system in detail, select the appropriate equipment, and configure all the necessary components for stable operation.

Selecting equipment for setting up a hotspot

The foundation of any authentication system is network equipment that manages data flows and routes user requests. Standard home routers purchased at electronics retailers rarely have the built-in capabilities to create a fully functional authentication system. Captive Portal with support for external gateways. For these purposes, professional equipment from vendors such as MikroTik, Ubiquiti or Keenetic with firmware KeeneticOS.

The most popular and flexible solution among system administrators is hardware MikroTikThese devices run on an operating system. RouterOS, which has a built-in module HotspotThis module can redirect HTTP requests to the authorization page, block access until verification is completed, and interact with external RADIUS servers to verify credentials. An alternative is specialized Wi-Fi controllers, such as UniFi Controller, which also support external portals.

⚠️ Attention: When choosing a router, be sure to consider the number of simultaneously connected clients. Cheap models may not be able to handle a load of 20-30 users and may freeze or drop connections when authentication is enabled.

In addition to the router itself, you'll need a stable connection and possibly a dedicated server or cloud platform to process requests. If you're planning to deploy the system in a large shopping center or hotel, it's worth considering an architecture with a dedicated authorization server to avoid overloading the router's processor with heavy scripts and databases.

System architecture: how it works

Understanding how the authorization system works is essential for proper configuration and troubleshooting. The interaction between the client, router, and SMS gateway is represented by a chain of requests. When a user's device attempts to access an internet resource, the router intercepts the request and redirects the browser to the login page. This is achieved through a mechanism called DNS Hijacking or redirecting HTTP requests.

After the user enters a phone number, the router or local script sends a request to an external SMS gateway. The gateway, in turn, generates a random code or password, saves it in temporary storage, and sends a message to the client's number. This entire process takes anywhere from a few seconds to a minute. It's important that there's stable data exchange between the router and the gateway, usually via the protocol. HTTP API or SOAP.

  • 📡 Client device connects to Wi-Fi and tries to open any website.
  • 🚧 Router (Hotspot) blocks access and redirects to the authorization page.
  • 📝 The user enters a phone number into the form on the page.
  • 💌 Authorization server requests a code from the SMS gateway and sends an SMS to the user.
  • ✅ After entering the code, the router receives confirmation and opens internet access.

The key element here is the authorization server, which can be implemented either as a script on the router itself (if memory and functionality allow) or on a remote server. In the case of MikroTik A common setup is for the router to send data to an external PHP script that manages the user database and interacts with the SMS provider.

📊 What type of equipment do you plan to use?
MikroTik
Ubiquiti
Keenetic
Turnkey solution (Hotspot billing)
Other

Connecting and configuring an SMS gateway

The most difficult part of implementation is choosing and configuring an SMS messaging service provider. Routers can't send messages on their own; they require an intermediary. You need to sign a contract with an SMS aggregator or virtual number service that provides an API for programmatic messaging. Popular services offer integration via simple HTTP requests.

To set up, you will need to obtain access keys (API Key) and the sender's ID. This data will be entered into the authorization server configuration. It's important to choose a provider with a high delivery speed (DLR) and good coverage so that clients don't have to wait too long for the code. A delay of more than 30-40 seconds can lead to the user simply leaving the coverage area.

Parameter Description Where to get
API URL Address for sending a request for sending SMS Provider's personal account
Auth Token Secret key for authorizing requests API section in profile
Sender Name Sender's name (e.g. CafeWiFi) Request for provider support
Format Response format (JSON or XML) API documentation

When integrating, consider traffic costs. Each authorization is a paid SMS. To minimize costs, you can set up long session timeouts so that the user logs in once a week rather than each time they connect. Also, some systems only allow SMS to be sent the first time a number is registered.

How to reduce SMS authorization costs?

The most effective method is combined authorization. Offer users an alternative: authorization via social networks (Facebook, VK, Google) or voucher codes that can be distributed in person. Leave SMS as an option for those who don't want to share their social media accounts or don't have any.

Configuring MikroTik Hotspot to work with an external portal

Let's consider practical implementation based on MikroTik RouterOSThe first step is to create a Hotspot profile. In the menu Hotspot You need to create a new profile, specifying the server address and network parameters. Pay special attention to the section Walled GardenThis is a list of addresses accessible to users without authorization. Be sure to add your SMS gateway domains, social media pages (if authorization is required through them), and DNS servers.

Next, the redirection mechanism itself is configured. In the Hotspot profile, in the field HTTP Proxy or via script on-login The logic for accessing the external server is defined. If you are using a ready-made billing solution (for example, Wi-Fi Planet, Sputnik or custom scripts), you will need to specify the address of your portal in the WISPS settings or in the HTTP chap parameters.

/ip hotspot profile

set name=profile1 hotspot-address=192.168.88.1 dns-name=login.wifi

set login-by=http-chap,http-pap

set http-proxy=192.168.88.2:8080

An important step is to download the authorization page files. Standard files MikroTik can be replaced with custom ones containing fields for entering a phone number. Files login.html And status.html They are stored in the router's file system or on an external web server. In the page code, the form must send data (POST request) to the router's address or an intermediate script.

☑️ Hotspot setup checklist

Completed: 0 / 5

Creating a Login Page (HTML/CSS)

The appearance of the page the user sees directly impacts conversion and usability. Standard pages MikroTik They look outdated, so it's recommended to replace them. You'll need basic knowledge of HTML. The page should be responsive, as 99% of users will access it from mobile devices. The page size should be minimal so it loads instantly even with a weak signal.

The attribute must be specified correctly in the form code. action, which will process the entered data. This is usually the address of the router itself ($(link-login-only)) or an external script. The phone number input field must be of the type telto automatically open the numeric keypad on smartphones. It's also helpful to add an input mask so the user can immediately see the number format.

  • 🎨 Design: Use the establishment's logo and corporate colors.
  • 📱 Adaptability: Check the display on screens of different sizes.
  • Speed: Avoid using heavy images and scripts.
  • 📝 Instructions: Briefly write what needs to be done (enter the number, wait for an SMS).

For styling, it's best to use inline CSS or minified external files. Remember that users don't have access to external CDNs (Google Fonts, Bootstrap) until they log in, so all styles must be either inlined in the HTML or stored in Walled Garden. Incorrectly including styles will result in the user seeing a broken layout.

⚠️ Attention: If you use HTTPS for the login page (which is recommended for data security), you must have a valid SSL certificate. Modern smartphone browsers may block access to a page with a self-signed certificate, preventing the user from entering the code.

Legal aspects and data security

The collection of personal data, such as mobile phone numbers, is strictly regulated by law. In Russia, this is Federal Law No. 152-FZ "On Personal Data." By submitting a phone number entry form, you become the personal data operator. This imposes obligations to store, protect, and process this information. You must have a privacy policy and obtain user consent.

The authorization page must include a checkbox indicating consent to the processing of personal data; this cannot be selected by default. The user must also be able to review the document. Failure to comply with these requirements may result in significant fines from regulators.

From a technical perspective, security lies in protecting the user database and logs. Storing numbers in plaintext on the router or in plain text files is bad practice. Data should be transmitted over a secure channel (HTTPS) between the router and the authorization server, as well as between the server and the SMS gateway.

Common problems and their solutions

During operation, you may encounter a number of common issues. One of the most common is that users don't receive SMS messages. This may be due to short codes being blocked by telecom operators, problems with the SMS aggregator, or errors in the number format (for example, the user entered a number without the eight, and the script expects the international format). The solution lies in careful validation of input data on the script side.

Another common issue is the authorization page becoming stuck. The user has entered the code, but access is denied. This is often due to DNS or browser caching. Clearing the cache or using incognito mode to test can help. It's also worth checking your router logs (Log V MikroTik), where authorization attempts and errors are displayed (for example, invalid password or user not found).

If the router loses connection to the authorization server, access may be completely lost. For such cases, it is recommended to set up a backup mechanism, such as creating local voucher codes that are valid even if the connection to the outside world is lost, or opening access to specific MAC addresses.

Is it possible to authorize via SMS for free?

Authorization isn't completely free, as SMS messages are charged to the sender. However, you can minimize costs by using low-cost routes (DLM) or combining SMS with free methods (social media). Some providers offer a trial balance.

Which router is best for a 50-room hotel?

For this number of users, a single router won't be enough. A combination of a powerful router (for example, MikroTik RB4011 or CCR), managing multiple access points (cap ac or Ubiquiti UAP), and, preferably, an external server for the user database.

What should I do if I don't receive an SMS message to a specific operator's number?

Check the delivery status in your SMS gateway account. The number may be blacklisted or your carrier may be blocking your messages. Try changing the sender's route or contact your SMS aggregator's support team.

Do I need to register an access point with Roskomnadzor?

According to current legislation (RF Government Resolution No. 758), information dissemination organizations (IDOs) must store user data. Requirements may vary for public access points (cafes, hotels), but phone number authentication is already a step toward meeting identification requirements.